topic Re: Maximum value for "latest" time modifier in Splunk Search

How to achieve maximum value for "latest" time modifier?

eregon — Fri, 21 Apr 2023 18:53:19 GMT

Dear fellow Splunkthusiasts!

I have found out one of old scheduled searches in my installation is failing with this error message:

Invalid value "+18y@y" for time term 'latest'

Looking closer, it turned out the search fails with any value beyond latest=01/19/2038:04:14:07 . I have noticed this value as expiration date for perpetual licenses as well.

I understand this is the maximum time that could be represented by four-byte signed integer as a number of seconds since 1970-01-01 00:00:00.

My question is: how do I specify - using time modifiers in SPL - that my time range includes future with no upper limit? I don't want to hard-code the above-mentioned time into my search, as that limit may (and surely will) change in the future, not to mention it is not very self-explanatory.

Re: Maximum value for "latest" time modifier

eregon — Thu, 20 Apr 2023 17:44:25 GMT

For some answers all you need to do is ask - then you realize yourself.

The answer to my question is: to search for any future events with no upper limit, just omit the latest=<...> time modifier (use only earliest=<...>) in your search.

Re: Maximum value for "latest" time modifier

richgalloway — Thu, 20 Apr 2023 17:59:26 GMT

I suggest hardcoding the upper limit. It's a well-known value among Linux aficionados. For the uninitiated, include a ```comment explaining why the value is what it is```.

Re: Maximum value for "latest" time modifier

richgalloway — Thu, 20 Apr 2023 18:00:37 GMT

Omitting latest is equivalent to specifying now. It does not search events with dates in the future.

Re: Maximum value for "latest" time modifier

eregon — Thu, 20 Apr 2023 18:25:18 GMT

Hi @richgalloway , thanks for fast responses!

Actually, I have tried omitting the latest value and Splunk shows me something else. As a run-everywhere example, I run the following SPL:

| tstats count where index=_internal

The line below the SPL edit box shows:

XXX events (4/19/23 8:00:00.000 PM to 4/20/23 8:12:11.000 PM)

(which corresponds to time picker being set to "Last 24 hours")

Now I change the SPL by adding earliest, omitting latest (leaving time picker untouched):

| tstats count where index=_internal earliest=-h@h

The status line now shows:

XXX events (4/20/23 7:00:00.000 PM to 1/19/38 4:14:07.000 AM)

Also, my original (site specific) SPL actually returns the future events. Is it possible this behavior has changed in recent versions of Splunk? (I am on 9.0.4)

Re: Maximum value for "latest" time modifier

isoutamo — Thu, 20 Apr 2023 19:22:31 GMT

Thank's!

This seems to be something new and also docs Examples of relative time modifiers didn't know that. They are told the old way which @richgalloway already told.

You should leave comments on that documentation that this behaviour has changes and is different what are in docs! Fortunately doc team is eager to update documentation when someone found errors or not enough clearly explained issues.

I also test this on Splunk 9.0.4.1and 9.0.3 on macOS and it works just like you describe.

r. Ismo

Re: Maximum value for "latest" time modifier

woodcock — Thu, 20 Apr 2023 23:12:56 GMT

I would hardcode it as "2147483647" which is maxint for time_t in Splunk. By the time it makes a difference, you won't be around.

Re: Maximum value for "latest" time modifier

lstewart_splunk — Fri, 21 Apr 2023 16:32:40 GMT

Hello from the Splunk Docs team!
Several people have reported this issue based on this thread.

We are looking into it and will updated this thread and the docs when we have more information.

Thanks for sending us the feedback!